Open Identity Exchange
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
|
The Open Identity Exchange (OIX) is a non-profit organisation that works to accelerate the adoption of digital identity services based on open standards. It is a non-profit organisation and is technology-agnostic and operates collaboratively across both the private and public sectors.[1]
History
[edit]Genesis
[edit]Shortly after coming into office, the Obama administration asked the General Services Administration (GSA) how to leverage open identity technologies to help the American public interact more easily and efficiently with federal websites, such as those of the National Institutes of Health (NIH), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).
At the 2009 RSA Conference, the GSA sought to build a public/private partnership with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) to craft a workable identity information framework that would establish the legal and policy precedents needed to establish trust for Open ID transactions.
This partnership eventually developed a trust framework model. Further meetings were held at the Internet Identity Workshop in November 2009, resulting in OIDF and ICF forming a joint steering committee. The committee's task was to study the best implementation options for the newly created framework.[2]
Foundation
[edit]The US Chief Information Officer recommended the formation of a non-profit corporation, the Open Identity Exchange (OIX). In January 2010, the OIDF and ICF approved grants to fund the creation of the Open Identity Exchange. Booz Allen Hamilton, CA Technologies, Equifax, Google, PayPal, Verisign, and Verizon were all members of either OIDF or ICF, and agreed to become founding members of OIX.[2]
Launch
[edit]The Open Identity Exchange was publicly launched at RSA 2010. It cited the following challenges for building trust in online identity:[2]
- Relying Parties must be able to trust that the Identity Provider is providing accurate data.
- Identity Providers must be able to trust that the Relying Party is legitimate (i.e., not a hacker or phisher).
- Direct trust agreements between relying parties and identity provider trust agreements are a common solution but are unmanageable at Internet scale.
OIXnet
[edit]In 2014, OIX established the OIXnet trust registry, a global authoritative registry of business, legal, and technical requirements needed to ensure market adoption and global interoperability.[3]
In 2015, the OIDF also announced plans to register all companies self-certifying conformance to OpenID Connect via the OpenID Certification Program on OIXnet.[4]
Purpose
[edit]OIXnet is an official, online, and publicly accessible repository of documents and information relating to identity systems and participants, referred to as a “registry”. It functions as an official and centralised source of such documents and information, much like a government-operated recorder of deeds. Individuals and entities can register documents and information with the OIXnet registry to provide notice of their contents to the public.Members of the public seeking access to such documents or information can go to that single authoritative location to find them.
The OIXnet registry is designed to provide a single, comprehensive and authoritative location where documents and information relating to a specific purpose, such as identity systems, can be safely stored to notify others of certain facts. From this location, such documents and information can be accessed by interested stakeholders seeking such information.
Early participants
[edit]OIXnet was launched in 2015. The OpenID Foundation was the first registrant, registering the initial set of organisations, including Google, ForgeRock, Microsoft, NRI, PayPal and Ping Identity, certifying conformance to OpenID Connect. Additional registrations were added to OIXnet throughout 2015 and 2016, with 10 trusted identity services currently registered.
Status
[edit]The OIXnet registry was in a pilot phase as of 2016, registering new and diverse trust frameworks and communities of interest.
International Chapters
[edit]OIX developed a chapters policy in 2015 that allows regional OIX chapters to be established. In 2016, the OIX United Kingdom Chapter was approved by OIX board and launched.
Leadership
[edit]The OIX board represents leaders in online identity in the internet, telecom, and data aggregation industries, concerned with both market expansion and information security.
Government relations
[edit]The OIX board met with Howard Schmidt in 2011[5] to discuss the public–private partnership envisioned in the NSTIC strategy.
The UK government's Cabinet Office joined the OIX at the board level, as it began the work on its Identity Assurance Programme, which is now GOV.UK Verify.[6]
In 2015, the States of Jersey commissioned an OIX Discovery project to explore how the knowledge, expertise, and components of one of these models, the UK’s GOV.UK Verify identity assurance scheme, could be leveraged to provide a cost-effective solution to meet Jersey’s requirements.[7]
Membership
[edit]The Open Identity Exchange currently has five executive members and over 50 general members.[8]
Executive Members
|
OIX UK Europe Chapter
[edit]At the beginning of 2015, the Cabinet Office requested Open Identity Exchange to begin exploring the legal, business, and pragmatic considerations of creating a self-sustaining UK ‘chapter’ of the Open Identity Exchange. Up until that point, OIX UK operated as an independent UK entity, able to administer ‘directed funding’ from member organisations.[9] It had received a series of grants from the UK Cabinet Office, that were used for the collaboratively funded projects.
An ad hoc board of advisers was formed of independent, experienced, public and private sector leaders who addressed policy considerations during this transition process. In addition to considering the role of OIX UK in the future, this board of advisers considered the private sector's needs for identity services,[10] resulting in an ongoing OIX project.[11]
The Open Identity Exchange board of directors approved an OIX chapters policy at the end of 2015, allowing the formation of individual chapters affiliated with OIX in various local markets. In April 2016 the OIX UK Europe Chapter appointed its board of directors.[citation needed]
White Papers
[edit]The OIX White Papers deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions. They are written by experts in the fields of technology, particularly open identity.
OIX
[edit]- OIX: An Open Market Solution for Online Identity Assurance
Trust Frameworks
[edit]- Trust Framework Requirements and Guidelines
- The Personal Network: A New Trust Model and Business Model for Personal Data
- Federated Online Attribute Exchange Initiatives
- Personal Levels of Assurance (PLOA)
- The Three Pillars of Trust[12]
UK Identity Assurance Programme (IDAP)
[edit]- Overview of Legal Liability in the IDAP (In development)
- Comments on US NSTIC Steering Group Draft Charter and Related Governance Issues
- United States National Strategy for Trusted Identities in Cyberspace Identity Ecosystem Steering Committee Plenary and Governing Board Charter
- OIX Response to "Models for a Governance Structure for the National Strategy for Trusted Identity in Cyberspace"
White Papers Published in 2016
[edit]Open Identity Exchange (OIX) White Papers focus on current issues and opportunities in emerging identity markets. OIX White Papers are intended to deliver value to the identity ecosystem and take one of two perspectives: a retrospective report on the outcome of a given project or pilot or a prospective discussion on a current issue or opportunity. OIX White Papers are authored by independent domain experts and are intended as summaries for a general business audience.
Recent published whitepapers include:
• Use of online activity as part of the identity verification[14]
• UK private sector needs for identity assurance[15]
• Use of digital identity in peer-to-peer economy[16]
• Shared signals proof of concept[17]
• Creating a digital identity in Jersey
• Just Giving and GOV.UK Verify
• Creating a pensions dashboard[18]
• Could digital identities help transform consumers attitudes and behavior towards savings?[19]
• Digital identity across borders: opening a bank account in another EU country
• Generating Revenue and Subscriber Benefits: An Analysis of: The ARPU of Identity[20]
Projects
[edit]OIX projects deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions.
States of Jersey: Creating a Digital ID
[edit]The hypothesis was that the UK Government identity assurance model could be adapted for Jersey with the support of certified UK IdPs and potential identity assurance hub providers, to meet the requirements of SoJ. The hypothesis also considered that this would create an attractive market opportunity in Jersey for one or more of these providers.[21]
LIGHTest Project
[edit]This is a 3-year project that started in September 2016 and is partially funded from the European Union's Horizon 2020 research and innovation programme under G.A. No. 700321. The LIGHTest consortium consists of 14 partners from 9 European countries and is coordinated by Fraunhofer-Gesellschaft. The project looks to reach out beyond Europe, to build a global community.
LIGHTest (Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust schemes)
The objective of LIGHTest is to create a global cross-domain trust infrastructure that renders it transparent and easy for verifiers to evaluate electronic transactions. By querying different trust authorities worldwide and combining trust aspects related to identity, business, reputation etc,. it will become possible to conduct domain-specific trust decisions.
This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing Domain Name System, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision-makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities.
GOV.UK Verify
[edit]The UK Government's Cabinet Office joined the OIX at board level as it began the work on its Identity Assurance Programme (IDAP). Through the OIX Directed Funding programme, a considerable number of projects continue to be carried out under OIX governance, the results of which have helped with the ongoing development of GOV.UK Verify. Work continues as GDS looks at how digital identities can be used in both the public and private sector.
GOV.UK Verify is built and maintained by the Government Digital Service (GDS), part of the Cabinet Office. The UK Government is committed to expanding GOV.UK Verify and helping to grow a market for identity assurance that will be able to meet user needs in relation to central government services, as well as local, health and private sector services. GOV.UK Verify uses certified companies to verify your identity to government. A certified company is a private company that works to high industry and government standards when they verify your identity.
References
[edit]- ^ "The Open Identity Exchange". OIX. April 12, 2024. Retrieved April 12, 2024.
- ^ a b c "OIX - Site Content - Page - About". openidentityexchange.org. Retrieved 2024-09-12.
- ^ "Open Identity Exchange Launches OIXnet: A Global Registry for Trust Frameworks | PYMNTS.com". Retrieved 2016-12-05.
- ^ "The OpenID Foundation Launches OpenID Connect Certification Program - OpenID Foundation". 2015-04-17. Retrieved 2024-09-12.
- ^ State of the Net 2011 Keynote: Howard Schmidt. Accessed 2013-08-16.
- ^ "GOV.UK Verify - GOV.UK". www.gov.uk. Retrieved 2016-11-28.
- ^ "OIX - Site Content - Page - Projects". 2024-09-12. Archived from the original on 2024-09-12. Retrieved 2024-09-12.
- ^ "OIX - Site Content - Page - Members". openidentityexchange.org. Retrieved 2024-10-17.
- ^ "OIX Directed Funding Policy" (PDF). Open Identity Exchange.
- ^ "Identity assurance and the private sector - a discovery project - GOV.UK Verify". Retrieved 2017-07-30.
- ^ "Private Sectors Requirements for Identity Services". OIX. Retrieved 2017-07-30.
- ^ The Three Pillars of Trust. Booz Allen Hamilton. Accessed 2013-07-31.
- ^ "DG - NSTIC - Archived Groups - Kantara Initiative". kantarainitiative.org. Retrieved 2016-12-05.
- ^ "Report suggests Facebook activity could be used for online identity verification | PublicTechnology.net". www.publictechnology.net. 26 July 2016. Retrieved 2016-11-28.
- ^ "Survey: 81% of UK companies want cross-industry digital ID options - SecureIDNews". SecureIDNews. Retrieved 2016-11-28.
- ^ "GOV.UK Verify | Digital Identity - We Are Snook". We Are Snook. 2016-06-10. Retrieved 2016-12-05.
- ^ "Protecting High Assurance Commercial Identity Providers - Confyrm". Confyrm. 2016-06-05. Retrieved 2016-12-05.
- ^ "Press release: Money Advice Service on behalf of the Open Identity Exchange publishes recommendations for Pension Finder Dashboard - Money Advice Service". www.moneyadviceservice.org.uk. Retrieved 2016-11-28.
- ^ "TISA Newsletter" (PDF).
- ^ "Analytical Models - Whitepapers". www.analyticalmodels.com.au. Retrieved 2016-12-05.
- ^ Ferbrache, Marcus (2016-07-12). "Towards a digital ID: part 4". Official States of Jersey Blog. Retrieved 2016-11-29.